Doc of the Day: NSA, DHS Trade Players for Net Defense

The military keeps saying that it only wants to defend its own networks — not yours, civilian. Only if the Department of Homeland Security, which safeguards the civilian internet, comes calling will they help out, the generals insist. Today, the Departments of Homeland Security and Defense started to lay the groundwork for how to come calling. And to make the whole thing easier, DHS and the National Security Agency, the super-secret military-intelligence hybrid, will station officials at each other’s headquarters.

Defense Secretary Robert Gates and Homeland Security Secretary Janet Napolitano today released a recently inked joint accord trying to clarify each department’s roles in the event of a cyber attack. Neither department changed the rules for who protects the dot-com and dot-gov networks (Homeland Security) and who protects the dot-mil domain (Defense). But the document — our Doc of the Day, which you can read below — does establish that the military chocolate is in the civilian peanut butter when it comes to cybersecurity.

Basically, the memo orders a big bureaucratic exchange of personnel. The Department of Homeland Security is going to embed some of its people at the National Security Agency, which already runs telecom surveillance dragnets and works to keep hackers and spies out of government networks. It’ll send over a new Director for Cybersecurity Coordination and a bunch of privacy lawyers and civil-rights officials to ensure that neither NSA nor its military twin, the U.S. Cyber Command, crosses any legal boundaries.

But other boundaries are more porous. The new director will send and receive requests for NSA and Cyber Command to collaborate on “joint planning” and “information sharing between the public and private sectors to aid in preventing, detecting, mitigating, and/or recovering from the effects of an attack.” For its part, the NSA will create a “Cryptologic Services Group” inside Homeland Security’s National Cybersecurity and Communications Integration Center.

Then there’s Cyber Command, the new unit responsible for protecting military networks from cyberattack. Its chief, General Keith Alexander, who’s also the NSA’s leader, has said “that’s all our authorities allow us to do — defend and operate within our networks” and that he sees “no role” for Cyber Command in the civilian internet. But Gates and Napolitano see some role. Cyber Command will send personnel to the DHS cyber integration center, where they’ll receive “requests for cybersecurity support” for “operational planning and mission coordination.”

The agreement doesn’t specify what each agency will actually do in the event of a cyberattack on civilian networks. But it’s understandable that DHS and the Pentagon would want to get closer. When a hole is found in Windows or Apache or Internet Explorer, both civilian and military machines are compromised. Besides, the Pentagon’s operations rely today on unclassified networks to coordinate supplies, schedule transportation, and share information. In other words, the seemingly bright line between dot-com and dot-mil gets fuzzier and fuzzier the longer you look.

But some privacy advocates aren’t comfortable with the new Gates-Napolitano agreement. Although it says that existing legal authorities won’t change, “the NSA can exert great influence in technical standard-setting that will lead to greater surveillance of network communications,” says Marc Rotenberg, the president of the Electronic Privacy Information Center. EPIC has filed Freedom of Information Act requests for an array of classified cybersecurity documents, including President Bush’s secret directive, known as NSPD-54, clarifying NSA’s cyber-surveillance authority. “We would be a little more confident about the NSA’s role in cybersecurity if they were a little more transparent,” he says.